Incorporating OAuth: How to integrate OAuth into your mobile app

Post on 11-May-2015

DESCRIPTION

Presented by Travis Spencer from Twobo Technologies at Nordic APIs in Copenhagen the 21st of May 2013

TRANSCRIPT

1. Incorporating OAuth: How to integrate OAuth into your mobile app
   By Travis Spencer, CEO (@travisspencer, @2botech)
   Copyright 2013 Twobo Technologies AB. All rights reserved.

2. Agenda
   - The security challenge in context
   - Neo-security stack
   - OAuth basics
   - Overview of other layers

3. Crucial Security Concerns
   - Enterprise security
   - API security
   - Mobile security

4. Identity is Central
   (Venn diagram by Gunnar Peterson: MDM, MAM, AuthZ, mobile security, API security and enterprise security, with identity at the intersection.)

5. Neo-security Stack
   - SCIM, SAML, OAuth, and JWT are the new standards-based cloud security stack
   - OAuth 2 is the new meta-protocol defining how tokens are handled
   - These address old requirements, solve new problems, and are composed in useful ways
   (Figure: "Grandpa SAML & junior OpenID Connect")

6. OAuth Actors
   - Client
   - Authorization Server (AS)
   - Resource Server (RS), i.e., the API
   - Resource Owner (RO)
   (Diagram: the client gets a token from the AS and uses the token at the RS.)

7. OAuth Mobile App Flow
   (Diagram)

8. Request Authorization
   (Diagram)

9. Authenticate & Authorize
   (Diagram)

10. Register Custom Scheme in App
    (Screenshot)

11. Callback to Custom Scheme
    In the OAuth server, configure the callback to the scheme that was registered in the app.

12. Exchange Code for Token
    (Diagram: AC)

13. Calling the Token Endpoint

        // response_type belongs in the authorization request, not the token request,
        // so it is omitted here.
        var data = {
            "client_id"     : clientId,
            "client_secret" : clientSecret,
            "code"          : code,
            "grant_type"    : "authorization_code"
        };
        $.post(tokenEndpoint, data, processAccessToken, "json");

    (Diagram: AC exchanged for AT, RT)

14. Tokens are Often JWTs
    - Pronounced like the English word "jot"
    - Lightweight tokens passed in HTTP headers & query strings
    - Akin to SAML tokens:
      - Less expressive
      - Fewer security options
      - More compact
      - Encoded with JSON, not XML

15. Calling the API
    Provide the AT to the API according to the bearer token profile.

        $.ajax({
            url      : apiEndpoint,
            dataType : "json",
            headers  : { "Authorization" : "Bearer " + accessToken },
            success  : processResults
        });

16. API May Validate Token

        import urllib
        import urllib2

        def validateToken(self, tokenEndpoint, clientId, clientSecret, accessToken):
            # POST the access token to the token endpoint for validation
            values = {
                "client_id"     : clientId,
                "client_secret" : clientSecret,
                "grant_type"    : "",  # grant type value is illegible in the transcript
                "token"         : accessToken,
            }
            request = urllib2.Request(tokenEndpoint, urllib.urlencode(values))
            return urllib2.urlopen(request)

17. App Consumes API Data
    - App should only present the AT to the API
    - Never send the RT to the API
    - Use the RT to get a new AT if the AT expires
    - App can't use the AT to determine anything about the user

18. Overview of OpenID Connect
    - Builds on OAuth for profile sharing
    - Uses the flows optimized for user-consent scenarios
    - Adds identity-based inputs/outputs to core OAuth messages
    - Tokens are JWTs

19. What OAuth is and is not for
    - Not for authentication
    - Not really for authorization
    - For delegation

20. Questions & Thanks
    @2botech, @travisspencer
    www.2botech.com, travisspencer.com
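The app-side steps of slides 11 through 17 (custom-scheme callback, code-for-token exchange, bearer call, refresh), as an added example that is not code from the deck or from Twobo; the `myapp` scheme, the `redirect_uri` parameter and the `state` check are assumptions beyond what the slides show.

```javascript
const APP_SCHEME = "myapp"; // custom scheme registered by the app (assumed name)
// Slide 11: the AS redirects to myapp://oauth/callback?code=...&state=...
// Accept only our scheme, reject error responses, and require that `state`
// matches the value the app generated (not on the slides; blocks forged callbacks).
function parseCallback(uri, expectedState) {
  const url = new URL(uri);
  if (url.protocol !== `${APP_SCHEME}:`) throw new Error("unexpected scheme");
  const p = url.searchParams;
  if (p.get("error")) throw new Error(`authorization failed: ${p.get("error")}`);
  if (!p.get("code")) throw new Error("no authorization code in callback");
  if (p.get("state") !== expectedState) throw new Error("state mismatch");
  return p.get("code");
}

// Slides 12-13: form body for the token endpoint. response_type belongs to
// the authorization request, so it is not sent here.
function tokenRequestBody(code, clientId, clientSecret, redirectUri) {
  return new URLSearchParams({
    grant_type: "authorization_code",
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
    client_secret: clientSecret,
  }).toString();
}

// AC -> AT, RT: keep the RT apart from the AT and record when the AT expires.
function storeTokens(tokenResponse, nowMs) {
  return {
    accessToken: tokenResponse.access_token,
    expiresAt: nowMs + tokenResponse.expires_in * 1000,
    refreshToken: tokenResponse.refresh_token, // only ever sent to the AS
  };
}

// Slides 15 and 17: the API sees the AT alone, as a bearer token; refresh first if expired.
function apiHeaders(tokens, nowMs) {
  if (nowMs >= tokens.expiresAt) throw new Error("AT expired: refresh first");
  return { Authorization: `Bearer ${tokens.accessToken}` };
}

// Slide 17: the RT goes to the token endpoint for a new AT, never to the API.
function refreshRequestBody(tokens, clientId, clientSecret) {
  return new URLSearchParams({
    grant_type: "refresh_token",
    refresh_token: tokens.refreshToken,
    client_id: clientId,
    client_secret: clientSecret,
  }).toString();
}
```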